credentials.h revision a1401311d1ab56c4ed0a474bd38c108f75cb0cd9 
1// Copyright (c) 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
6#define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
7
8#include "build/build_config.h"
9// Link errors are tedious to track, raise a compile-time error instead.
10#if defined(OS_ANDROID)
11#error "Android is not supported."
12#endif  // defined(OS_ANDROID).
13
14#include <string>
15
16#include "base/basictypes.h"
17#include "base/memory/scoped_ptr.h"
18
19namespace sandbox {
20
21// This class should be used to manipulate the current process' credentials.
22// It is currently a stub used to manipulate POSIX.1e capabilities as
23// implemented by the Linux kernel.
24class Credentials {
25 public:
26  Credentials();
27  ~Credentials();
28
29  // Checks whether the current process has any directory file descriptor open.
30  // Directory file descriptors are "capabilities" that would let a process use
31  // system calls such as openat() to bypass restrictions such as
32  // DropFileSystemAccess().
33  // Sometimes it's useful to call HasOpenDirectory() after file system access
34  // has been dropped. In this case, |proc_fd| should be a file descriptor to
35  // /proc. The file descriptor in |proc_fd| will be ignored by
36  // HasOpenDirectory() and remains owned by the caller. It is very important
37  // for the caller to close it.
38  // If /proc is available, |proc_fd| can be passed as -1.
39  // If |proc_fd| is -1 and /proc is not available, this function will return
40  // false.
41  bool HasOpenDirectory(int proc_fd);
42
43  // Drop all capabilities in the effective, inheritable and permitted sets for
44  // the current process.
45  bool DropAllCapabilities();
46  // Return true iff there is any capability in any of the capabilities sets
47  // of the current process.
48  bool HasAnyCapability() const;
49  // Returns the capabilities of the current process in textual form, as
50  // documented in libcap2's cap_to_text(3). This is mostly useful for
51  // debugging and tests.
52  scoped_ptr<std::string> GetCurrentCapString() const;
53
54  // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
55  // possible to immediately move to a new user namespace. There is no point
56  // in using this method right before calling MoveToNewUserNS(), simply call
57  // MoveToNewUserNS() immediately. This method is only useful to test kernel
58  // support ahead of time.
59  static bool SupportsNewUserNS();
60
61  // Move the current process to a new "user namespace" as supported by Linux
62  // 3.8+ (CLONE_NEWUSER).
63  // The uid map will be set-up so that the perceived uid and gid will not
64  // change.
65  // If this call succeeds, the current process will be granted a full set of
66  // capabilities in the new namespace.
67  bool MoveToNewUserNS();
68
69  // Remove the ability of the process to access the file system. File
70  // descriptors which are already open prior to calling this API remain
71  // available.
72  // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
73  // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
74  // Make sure to call DropAllCapabilities() after this call to prevent
75  // escapes.
76  // To be secure, it's very important for this API to not be called while the
77  // process has any directory file descriptor open.
78  bool DropFileSystemAccess();
79
80 private:
81  DISALLOW_COPY_AND_ASSIGN(Credentials);
82};
83
84}  // namespace sandbox.
85
86#endif  // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
87